package com.zengdada.authority.config.security.intercept;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Service;

import javax.servlet.ServletContext;
import java.util.Collection;

@Service
public class MyAccessDecisionManager implements AccessDecisionManager {

    @Autowired
    private ServletContext servletContext;

    @Autowired
    private AuthorityUtil authorityUtil;

    /**
     * 检查用户是否够权限访问资源
     * authentication 是从spring的全局缓存SecurityContextHolder中拿到的，里面是用户的权限信息
     * object 是url
     * configAttributes 所需的权限
     *
     * @see org.springframework.security.access.AccessDecisionManager#decide(org.springframework.security.core.Authentication, Object, Collection)
     */
    @Override
    public void decide(Authentication authentication, Object object,
                       Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // 对应url没有权限时，直接跳出方法
        if (configAttributes == null || configAttributes.equals(MyFilterInvocationSecurityMetadataSource.ROLE_ANONYMOUS))
            return;
        if (!"".equals(authentication.getCredentials()) && !servletContext.getAttribute("security_power_version").equals(authentication.getCredentials())) {
            authentication = authorityUtil.updateAuthority();
        }
        try {
            if (authorityUtil.isSuperAdministrator()) return;
        } catch (Exception e) {
        }
        for (ConfigAttribute ca : configAttributes) {
            for (GrantedAuthority ga : authentication.getAuthorities()) {
//                System.out.println(":::::::::::::" + ga.getAuthority());
                if (ca.getAttribute().equals(ga.getAuthority())) {
                    return;
                }
            }
        }

//        Iterator<ConfigAttribute> ite = configAttributes.iterator();
//        //判断用户所拥有的权限，是否符合对应的Url权限，如果实现了UserDetailsService，则用户权限是loadUserByUsername返回用户所对应的权限
//        while (ite.hasNext()) {
//            ConfigAttribute ca = ite.next();
//            String needRole = ((SecurityConfig) ca).getAttribute();
//            for (GrantedAuthority ga : authentication.getAuthorities()) {
//                System.out.println(":::::::::::::" + ga.getAuthority());
//                if (needRole.equals(ga.getAuthority())) {
//                    return;
//                }
//            }
//        }
        //注意：执行这里，后台是会抛异常的，但是界面会跳转到所配的access-denied-page页面
        throw new AccessDeniedException("no right");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }

}
